Evaluating Corporate Compliance Programs – Five Things You Need to Get It Right
Considering the costs, risks and potential damages of compliance failures, effective and ongoing methods to evaluate a corporate compliance program are imperative. A systematic approach to track and record events, understand the current operational situation and anticipate future requirements will help decrease costs and risks, improve performance and deliver a robust and adaptable compliance regime.
As in many other sectors, compliance systems are increasingly taking advantage of new technologies to deliver significant gains. The RegTech industry has grown at breakneck speed and is estimated to become a $120 billion industry by 2020. It’s not simply about technology, though; the question is how an organization can leverage its talent to make the best use of new tools.
What are the goals of a compliance program? What systems are currently in place and what is the best-case scenario to build toward? How are staff being deployed and what obstacles are they facing? How are workflows structured and what gaps or frictions require adjustments?
Avoiding Compliance Failures
Of course, it’s best to make these analyses before a major failure happens. If an “event” happens, an organization might be facing a different type of evaluation: an investigation by prosecutors. The U.S. Department of Justice (DOJ) published an Evaluation of Corporate Compliance Programs which sheds light on what prosecutors might consider, as well as opportunities to avoid failures, or at least mitigate their impact.
The document has 112 questions to consider ranging from root cause analysis and prior indications to third-party management. According to legal experts Ronald H. Levine and Carolyn H. Kendall, it’s not only an organization’s existing compliance policies, but “the assumptions, methodology, design and judgments embedded in those policies; and the proactive character and predictive accuracy of those policies.”
Global law firm Baker & McKenzie has created a list of five essential elements of corporate compliance, which offers a structure to analyze a program similar to what the DOJ discusses:
Leadership
An effective compliance program starts at the top; how many resources are dedicated and how much importance is ascribed to compliance? Is it given its proper support and does it have the budget, people and clout to properly perform its duties? Is the compliance team given effective autonomy and are there collaborative efforts between senior leaders and other stakeholders in a “shared commitment” to promote compliance?
Risk Assessment
What methods does the organization use to identify, analyze and understand risk? What levels and types of risk is the organization comfortable with and is that reasonable for the situation? What information and metrics are being collected to detect risk and how is this information informing your program?
Standards and Controls
What are your compliance policies and procedures? Clearly thought-out, written-down policies create standards for the organization and indisputable evidence for the record. Standards are one thing, but turning them into workable procedures ensures practical application. Appropriate measures to set responsibilities, controls and approval processes are required.
Training and Communications
Do staff have the appropriate knowledge to perform their compliance role? Simply having a training program is not enough; an effective training program adapts to the learning requirements of the intended audience and is tailored to the risk level of the role. It is also not a one-time event but an ongoing program that updates the knowledge and capabilities of staff.
Monitoring, Auditing and Response
As all aspects of compliance are in constant flux, from the rules themselves to business operations, compliance programs need methods to analyze and adapt on an ongoing basis. How is information gathered, flagged and reported, and how are those steps themselves analyzed? What are the incentives for compliance and what disciplinary measures are in place?
RegTech for Compliance
When considering the five essential elements of compliance, it’s interesting to note where technology can provide value. Of the five, only the leadership aspect has no significant place for technology.
Technology can assist risk assessment. Setting up workflows to analyze cases and determine the level of rigor each case requires speeds up the overall process and focuses efforts where extra due diligence is advisable. For example, if a customer transaction level is especially high, it can trigger a flag for further inspection.
While technology can’t create policies, as that requires ethical judgements and determinations, it can help analyze the millions of pages of regulations to help pinpoint what specific factors to consider. Many procedures, though, are entirely automatable; bulk, rote tasks that staff despise and that are prone to errors are prime targets for automation, which increases not only productivity but staff morale as well. Controls and checks are also prime candidates for technology, as it can keep an ever-watching eye on activities.
As for training and communications, even in these human-centric fields technology has a powerful value proposition. New educational techniques such as video-training, corporate communication tools, wikis, interactive software and other online systems can personalize training and maximize communication effectiveness.
With all the data flowing through modern systems, monitoring and analysis are especially well suited to technology. Predictive and behavioral analytics can help spot patterns, flag problems and optimize compliance performance across the organization.
An Evaluation Culture
Compliance, by its nature, is about evaluation: evaluating regulations, evaluating risk and evaluating compliance performance. The ongoing scaling of compliance requirements and technological capabilities also requires ongoing analysis. While people often enjoy marking a task complete and moving on, compliance does not have that luxury. Developing a culture and systems that not only perform, but thrive, in a state of perpetual change is the optimum outcome. As Heraclitus observes, “the only thing that is constant is change.” A corporate compliance program that accounts for constant change will help the organization limit its exposure to risk and react more effectively to any turmoil that comes its way.